The internet is brittle

How a bit of bad code could bring down the whole world. The worst internet outage hasn’t happened yet The world is still dealing with the fallout from [the CrowdStrike screwup that took millions of computers offline last week](. Some IT workers [have had to fix each computer manually](, walking from machine to machine [with a USB stick](, and some remote workers [say]( they’re locked out of their computers with no fix in sight. All because of [a few lines of bad code](. It started in the early morning hours of Friday, July 19, when the cybersecurity company CrowdStrike pushed an update to its millions of customers. Unfortunately for all of them, there was a mistake in the code that caused Windows computers to crash repeatedly. This caused lots of problems for airlines, banks, hospitals, TV broadcasters, government agencies, and everyone who interacted with these organizations as [the dreaded “blue screen of death”]( took over millions of computers. It took CrowdStrike [just 78 minutes]( to identify the problem and issue a fix, but because many computers needed to be manually restarted, the problems persisted through the weekend and into this week. As of Wednesday morning, Delta Air Lines [was still experiencing delays]( due to the outage. The ongoing Delta flight cancellations [separated countless unaccompanied minors from their parents for days](. This is all annoying and anxiety-inducing. But a massive outage like this — whether caused by a faulty update, as was the case with CrowdStrike, or by a cyberattack — could have been much worse. Much worse. Like, getting kicked back to the 19th century overnight worse, and it’s not clear what we can do to stop it. “This was just an accident,” Mark Atwood, an open source policy wonk and former Amazon employee, told me. “This could have been something that … just turned everybody’s computers into bricks, possibly unrepairable.” The really scary thing is that there’s honestly not much you or I can do to prevent a catastrophe like that from happening in the future. If you work for CrowdStrike, sure, you could do your part, but for the most part, building a more resilient internet is a job for the federal government. As trite as it may sound, one thing you can do is call your representatives in Congress and demand action. Because even if there’s not much you can do on an individual level to prevent the next big internet outage or cyberattack, you will likely be affected. One big problem — and a key reason why this outage was so huge — is that CrowdStrike controls so much market share, and its software is so deeply integrated into so many computers, that one bad update can bring them all down. Regulations require companies in critical industries, like [health care]( and [banking](, to protect people from harm, which means they must follow cybersecurity guidelines and use endpoint security software, which protects internet-connected devices from cyberattacks. CrowdStrike [tends to be the default option]( to comply with these regulations, and in 2021, the Cybersecurity and Infrastructure Security Agency (CISA) even picked CrowdStrike [to secure multiple government agencies](. CrowdStrike now controls nearly 25 percent of the market for endpoint security. So when CrowdStrike pushes out a bad update, a lot of people are affected. This particular incident affected 8.5 million Windows devices, [according to Microsoft](. Lawmakers and regulators can and should learn from this CrowdStrike fiasco. It could be an opportunity for the federal government to redouble its efforts at improving cybersecurity and for security companies to do better. We have to demand they build products that are truly secure, says Dan O’Dowd, CEO of Green Hills Software and founder of [the Dawn Project](, an organization dedicated to making computers safe for humans. “We know how to do it. It’s been done for years and years in the military and in aviation,” O’Dowd told me. “But it does cost more, and people just have to accept that we’re going to have a somewhat higher cost, so that we don’t lose it all.” Cybersecurity experts [talk about “the big one” a lot]( these days, and that’s what O’Dowd is referring to when he says we could lose it all. The big one might involve hackers [attacking physical infrastructure](, like the power grid, water treatment plants, or shipping ports. Bad actors [could target elections](, hack voting machines, and spread misinformation. These kinds of things are actually already happening, but so far, there has not been a truly catastrophic outage or an attack so successful that it’s brought down large swaths of modern society. Not yet, at least. The CrowdStrike incident should be a wakeup call, a reminder that the big one is coming and that there’s more we could do to stop it. Republican lawmakers have called on CrowdStrike CEO George Shultz [to testify before the House Homeland Security Committee]( to explain what happened to cause the outage and what the company was doing about it. CrowdStrike told me it was “actively in contact with relevant congressional committees,” and on Wednesday [published a preliminary incident report]( detailing what went wrong and how it planned to prevent something like this from happening in the future. Attention on Capitol Hill may also signal interest in legislation to create new regulations for the cybersecurity industry, although nothing has been announced. Meanwhile, FTC Chair Lina Khan [is drawing attention to]( how the concentration of power can mean “a single glitch results in a system-wide outage, affecting industries from healthcare and airlines to banks and auto-dealers.” She seems to suggest that a better regulated cybersecurity industry could reduce that harm. Others, [including Atwood](, have pointed out that, in some ways, the regulations are in place, but companies like CrowdStrike still aren’t following best practices. “Everyone believed there was no silver bullet, there was no cure for this other than try to think harder,” Atwood told me. “There are still bullets and best practices that, if you do them, the odds of making mistakes like this fall a lot.” Truth be told, there’s no easy way to make our networks and computers completely secure. But the federal government is continuing to try. It established CISA in 2018 to do everything from securing elections to protecting the power grid [from electromagnetic pulse, or EMP, attacks](. President Joe Biden also [issued an executive order in 2021]( to improve the nation’s cybersecurity with 55 new requirements, [almost all of which have now been completed](. (That executive order is also what led CISA to pick CrowdStrike as the federal government’s endpoint security partner.) And this year, following [a series of breaches]( during the 2020 midterm elections, CISA also launched a program to bolster election security, including protections for non-voting systems, like voter registration databases. That just represents a handful of the federal government’s efforts to avoid a catastrophic cyberattack or outage. And the cybersecurity industry [is growing in lockstep]( with increasing anxiety about such a disaster. Spending on cybersecurity rose about 70 percent from 2019 to 2023, [according to Moody’s](, and the rise of generative AI [will only complicate the picture]( in the years to come. The 2024 election cycle [has already seen AI-generated robocalls]( that mimicked President Biden’s voice and told people not to vote, which does not sound as frightening as a cyberattack bringing down a power plant, but is an attack on democracy nevertheless. The big one is still out there, lurking in some unknown future, waiting for the right string of events to occur and lead to catastrophe. Some of the worst nightmare scenarios have actually already happened, only not at a global scale. Ransomware attacks on hospitals and health care providers that threaten lives [are a regular occurrence]( in the US these days. After [taking out a portion of Ukraine’s power grid]( with a cyberattack in 2015 and 2016, Russia [used a novel cyberattack]( to cut the heat to 600 buildings in the Ukrainian city of Lviv this past January. So far, and very luckily, we have not seen a cyberattack lead to a nuclear disaster, but [such a thing]( is [not out]( of [the realm of possibility](. “So I just rewatched Chernobyl last week,” Atwood said, referring to [the HBO series]( about the 1986 nuclear disaster. “And that was one of the key lines: Why worry about something that hasn’t happened yet?” That’s how some cybersecurity executives think about the unimaginable, he told me, even when their own employees are warning against it. If we’ve learned anything from the past week — or even the past decade — it’s that the scale of outages and cyberattacks is getting larger as the world depends more on internet-connected devices to run itself. There’s no better time than now to reconsider whether we’re doing enough to stop the next one. —Adam Clark Estes, senior technology correspondent Bloomberg via Getty Images [The worst internet outage still hasn’t happened yet]( How a bit of bad code could bring down the whole world.   Anadolu via Getty Images [ISIS? Russian sabotage? The biggest security threats at these Olympics.]( Officials say Paris will be the “safest place on earth” for the Olympics. Here’s what they’re up against.   [Robot hand holding dollar bills against a beige background.]( Paper Boat Creative/Getty Images [Artificial intelligence isn’t a good argument for basic income]( A major study backed by OpenAI’s Sam Altman shows unconditional cash has benefits that have nothing to do with AI.    [Learn more about RevenueStripe...](   [NPR host Mary Louise Kelly interviews Secretary of State Anthony Blinken]( [With Biden out of the election, can US foreign policy be Trump-proofed?]( The trickiest country for American foreign policy right now is ... America.   Future Publishing via Getty Images [Traveling this summer? Maybe don’t let the airport scan your face.]( You have the right to opt out of facial recognition tech. Here’s how.   Become a Vox Member Support our journalism — become a Vox Member and you’ll get exclusive access to the newsroom with members-only perks including newsletters, bonus podcasts and videos, and more. [Join our community](   [Listen To This] [Listen to This]( [Do we live inside an enormous black hole?]( It’s possible that the entire observable universe is inside a black hole. All we need to do to find out is … build a gigantic particle collider around the moon. [Listen to Apple Podcasts](   [This is cool] [Paris cleaned up the Seine so Olympians could swim in it](  [Learn more about RevenueStripe...](   [Facebook]( [Twitter]( [YouTube]( This email was sent to {EMAIL}. Manage your [email preferences]( , or [unsubscribe](param=tech)  to stop receiving emails from Vox Media. View our [Privacy Notice]( and our [Terms of Service](. Vox Media, 1201 Connecticut Ave. NW, Washington, DC 20036. Copyright © 2024. All rights reserved.